On 01/04/2014 12:02 PM, Israel wrote:
The best way to protect your system is in how you interact with the
internet. And install all security updates (especially Java, IMO)
Israel and all:
Here is more information regarding your Java concerns.
If you don't have Java, no Java applet or application will run at all.
However, with Java, your applications (GUI and all) will run on any
machine having the Java Virtual Machine (JVM). No compiling, linking,
or anything is required. You can just copy the '.jar' file containing
the application to your machine, and it runs - regardless what OS is used.
The same program works for Windows, Mac OS X, Linux, Unix, or whatever.
So you can probably understand what a useful thing this is to have.
There are two aspects of using Java applications. First, there are Java
applets that run in your browser (client-side), and second, there are
Java applications you can install on your machine using Java Web-Start
(icedtea/netx).
With browser-based Java applets, it attempts to run the applet when you
browse the page having the Java applet. Browser based applets run in a
sandbox, so they are limited in what they can and can't do.
For example, the video games on my personal web-site can't save
parameters and keep track of high-scores. You have to specify the
parameters each time you play it.
Any Java applet has to be signed. Signed code ensures that the checksum
of the code matches what is proposed to be run. But currently they can
be self-signed. In a Java update soon to come, only trusted
signing-certificates will be allowed.
Currently, browsers won't just run browser-based applets. A security
dialog appears, indicating an applet wants to run, and if you don't give
it permission to run, it won't. A text message will appear on the
web-page in place of the applet.
An example of a browser based Java applet is the link you can click on
Oracle's www.java.com website, used to determine if your (Windows)
system currently has the latest version of Java. It runs only if you
allow it (as described in the prior paragraph), and it does have a
trusted code-signing certificate.
Separate from the browser-based applets, are applications you install
via Java Web-Start. They cannot just run - you have to click on links
to install them. If there were a link to surreptitiously do such an
install, the process of installing will explicitly state what is being
done, and you have to give it permission to proceed.
Some browsers (Safari, for example), will not download the launcher
(.jnlp file) when you click on such a link. If you right-click
(2-finger click) on it, you can choose to download the launcher file.
Then you have to browse to it and double-click it, and again (as stated
above), the system will inform you that you are doing an installation,
displaying the certificate information, and require your permission to
proceed.
Again, these must have a code-signing certificate, and soon self-signed
certificates will not be allowed (it must be a trusted, revocable
certificate). In addition, applications deployed from the web also
indicate internally (checksum-protected) the URL they come from, and
that information must agree with the launcher file, or it will not be run.
As with browser-based applets, Java applications normally must run
within a 'sandbox'. But if your application interfaces with
device-drivers (ALSA, for example), you will have to request additional
permissions. The user is informed of this request, and must consent to
it in order for the application to be allowed to run.
Anyway, this is quite long-winded, but I think it is always better to
have an understanding of something, rather than only a fear or distrust
of it.
--
Sincerely,
Aere
--
Lubuntu-users mailing list
Lubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/lubuntu-users
